Back when the admins at my current employer migrated to AD from Novell, they were not very knowledgeable about AD. When having some issues loading some applications, instead of making users the admins of their machines, they added a handful of users to Domain Admins to install some things (I know!).
When you add someone to an administrative group, their account gets an admincount attribute. For information on this attribute and the adminSDholder object that it works in conjunction with, check here:
http://activedirectoryfaq.blogspot.com/2007/09/authentication-and-authorization.html
When you add someone to an administrative group, their account is given an admincount of 1. This prevents account operators or people that have been given delegated authorities from changing passwords or resetting administrative accounts. Typically, when you remove someone from an admin group, the admincount is reset.
Up to 2000 SP3, the admincount was not reset. SP4 addressed the problem and it's no longer an issue. The problem now is that there are 30 to 40 accounts that were added to domain admins back in 2000 SP2. These accounts are not resetting.
We found a script from MS that is supposed to go and change everyone that is not in an admin group, but we are hesitant to run it on the entire domain. We tested the script once in a test environment and it didn't seem to work. We are having a hard time recreating the problem because we don't have a 2000 server install from SP3 or earlier.
Our thinking right now is that maybe if we add one of the problem accounts to an administrative group, let it sit long enough to add the attribute, then remove them, it will clear. Has anyone else run across this issue by chance?
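For anyone landing on this thread with the same orphaned-adminCount problem, here is an added PowerShell example (not the poster's environment, and not the Microsoft script mentioned above) that does the cleanup in two stages: first list every user that still carries adminCount=1 but is no longer a member of any AdminSDHolder-protected group, then, only when run with -Fix, clear the attribute and re-enable ACL inheritance on those objects. The list of protected group names is an assumption based on the default set; the krbtgt and built-in Administrator accounts are skipped because SDProp protects them regardless of group membership. It needs the RSAT ActiveDirectory module and a domain admin session.

```powershell
param([switch]$Fix)   # without -Fix the script only reports, it changes nothing

Import-Module ActiveDirectory

# Groups whose members SDProp stamps with adminCount=1 and a non-inheriting ACL.
# Assumed default set; add any custom groups your domain has placed under AdminSDHolder.
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Replicator'

# Collect the SIDs of every direct and nested member of a protected group.
$protectedSids = @{}
foreach ($name in $protectedGroups) {
    # -Filter rather than -Identity so a group that only exists in the forest root
    # (Enterprise/Schema Admins seen from a child domain) is skipped, not an error.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedSids[$_.SID.Value] = $true }
}

# Every user object still stamped adminCount=1, with its security descriptor.
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

# Orphans: stamped, but not currently protected through group membership.
$orphans = $stamped | Where-Object {
    (-not $protectedSids.ContainsKey($_.SID.Value)) -and
    ($_.SamAccountName -notin 'Administrator', 'krbtgt')
}

foreach ($user in $orphans) {
    # AreAccessRulesProtected is true when inheritance from the OU is blocked,
    # which is the second half of what SDProp does to a protected account.
    $inheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    '{0,-25} adminCount=1  inheritance blocked: {1}' -f $user.SamAccountName, $inheritanceBlocked

    if ($Fix) {
        # Remove the attribute entirely rather than setting it to 0.
        Set-ADUser -Identity $user -Clear adminCount

        # Re-enable inheritance; the second argument keeps the explicit ACEs
        # that were copied onto the object instead of discarding them.
        $path = 'AD:\' + $user.DistinguishedName
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

'{0} stamped user(s), {1} orphan(s){2}' -f $stamped.Count, @($orphans).Count,
    $(if ($Fix) { ' fixed' } else { ' (report only, rerun with -Fix to clean up)' })
```

Run it without -Fix first and check the list against what you expect; the built-in safety net is that SDProp reruns on its own schedule (every 60 minutes by default on the PDC emulator), so if an account you cleared was still protected for a reason the script did not see, it is simply re-stamped on the next pass and shows up again in the report. Note the LDAP filter only pulls user objects; groups that were once nested in a protected group carry an orphaned adminCount too and can be handled the same way with Get-ADGroup/Set-ADGroup.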